Late last night Facebook CEO Mark Zuckerberg announced in a blog post, Update on Terms, that they have rolled back the recent changes to their Terms of Service agreement and restored the previous one.

“Many of us at Facebook spent most of today discussing how best to move forward. One approach would have been to quickly amend the new terms with new language to clarify our positions further. Another approach was simply to revert to our old terms while we begin working on our next version. As we thought through this, we reached out to respected organizations to get their input.

Going forward, we’ve decided to take a new approach towards developing our terms. We concluded that returning to our previous terms was the right thing for now. As I said yesterday, we think that a lot of the language in our terms is overly formal and protective so we don’t plan to leave it there for long.”

The NYT reported the change in a story today, Facebook Withdraws Changes in Data Use.

In his post, Zuckerberg continued by observing that with 175 million members, if it were a country, it would be the sixth most populated one in the world. Of course, sometimes a population revolts and lays claim to certain unalienable rights, among theme being life, liberty, pursuit of happiness and ownership of one’s online content.

So, the missing clause is back in the FB TOS:

“You may remove your User Content from the Site at any time. If you choose to remove your User Content, the license granted above will automatically expire, however you acknowledge that the Company may retain archived copies of your User Content.”

This revision is dated 23 September 2008. Curiously, I checked the Internet Archive to review the history of FB’s TOS but found that there are no archived copies after 12 October 2007. I can only imagine that FB asked the Internet Archive to stop saving copies of this public page. I note that the last archived copies of many of their public pages (e.g., privacy policy, developers page, etc.) are also from 2007. These pages are not blocked by the FB robots.txt and are normally accessible to anyone, so it must be by a specific request that they not be archived.

That’s too bad. Having an easy way to see how the policies of important social sites like FB evolve would be a great resource to those who study online social media as well as to many curious users.

2/18 Update: FB reverted its TOS to the previous version early on 18 Feb 2009.

Consumerist has a post on a change in Facebook’s Terms of Service agreement that became effective on 4 February: Facebook’s New Terms Of Service: “We Can Do Anything We Want With Your Content. Forever.”

Both the new Facebook TOS and the previous TOS made these aggressive claims on your content.

“You hereby grant Facebook an irrevocable, perpetual, non-exclusive, transferable, fully paid, worldwide license (with the right to sublicense) to (a) use, copy, publish, stream, store, retain, publicly perform or display, transmit, scan, reformat, modify, edit, frame, translate, excerpt, adapt, create derivative works and distribute (through multiple tiers), any User Content you (i) Post on or in connection with the Facebook Service or the promotion thereof subject only to your privacy settings or (ii) enable a user to Post, including by offering a Share Link on your website and (b) to use your name, likeness and image for any purpose, including commercial or advertising, each of (a) and (b) on or in connection with the Facebook Service or the promotion thereof.”

That was bad enough, but at least Facebook relinquished those rights on your content if you dropped out. But no longer. The following clause from the old TOS has been dropped.

“You may remove your User Content from the Site at any time. If you choose to remove your User Content, the license granted above will automatically expire, however you acknowledge that the Company may retain archived copies of your User Content.”

Just to make it absolutely clear how screwed you are, the new TOS also adds the following.

“The following sections will survive any termination of your use of the Facebook Service: Prohibited Conduct, User Content, Your Privacy Practices, Gift Credits, Ownership; Proprietary Rights, Licenses, Submissions, User Disputes; Complaints, Indemnity, General Disclaimers, Limitation on Liability, Termination and Changes to the Facebook Service, Arbitration, Governing Law; Venue and Jurisdiction and Other.”

By the way, if you’ve used Facebook in any way since 4 February, you have already accepted the new TOS.

“We reserve the right, at our sole discretion, to change or delete portions of these Terms at any time without further notice. Your continued use of the Facebook Service after any such changes constitutes your acceptance of the new Terms.”

And if you want to take them to court, Fugetaboutit.

“Except as set forth in the paragraph below, you agree that all claims and disputes between you and Facebook that arise out of or relate in any way to the Terms or your use of the Facebook Service will be resolved either by (a) binding arbitration by a single arbitrator in Santa Clara County, California or (b) binding non-appearance based arbitration conducted by telephone, online or based solely on written submission.”

All your base are belong to Facebook.

According to an article in Der Spiegel, Does Google Know Too Much?, many in Germany are concerned with Google’s broad range of information gathering.

Google gathers so much detailed information about its users that one critic says some state intelligence bureaus look “like child protection services” in comparison. A few German government bodies have mounted a resistance.

I liked the accompanying graphic that shows Google’s many services.

Thilo Weichert, head of Schleswig-Holstein’s Independent State Agency for
Data Protection, has issued a public warning about Google Analytics, the
system that many web site owners use to collect aggregate information about
their visitors.

“Most users of the product aren’t entirely aware that by operating Google
Analytics they’re utilizing a service that transfers data to the United
States, to be broadly used and exploited,” he has written. “This violates
the data privacy laws protecting those who use the Web sites.” Google
reacted with a letter to the governor of Schleswig-Holstein, warning of
economic losses and demanding that Weichert be called off his attack.

Such reactions only incite Weichert. “The company operates in an
unacceptably non-transparent manner,” he says. “Their users are basically
standing naked in front of them, and Google itself discloses only what is
absolutely necessary assure.”

I’ve seen the following attributed to Woody Allen:

Question: what’s a three syllable word beginning with ‘P’ that means you think that everybody’s against you?
Answer: perceptive.

It’s fashionable in some circles to be paranoid about Google. If they ever do abandon their Don’t be evil informal motto then we are all in trouble. Search engines can gather a lot of information about a person’s interests. While Google is not the only search engine available, they have assembled quite an array of Web systems, including gmail, Google reader, Google groups, DoubleClick, Feedburner and many more. They would be in a good position to integrate a lot of information about a person’s behavior on the Web.

Enter Google Chrome.

If you own the browser, you can get the full range of a person’s Web activities. What worries some is that each Google Chrome installation contains a unique ID, which could be used to identify its user. The German company Abelssoft has released UnChrome as an application that effectively makes your copy of Google Chrome anonymous.

“Regarding to Google, “Google Chrome is a browser that combines a minimal design with sophisticated technology to make the web faster, safer, and easier”. Unfortunately, each Google Chrome installation contains a unique ID that allowing identifying its user. Google doesn’t make it an easy job to remove this ID.

UnChrome helps you with this task. It replaces your unique ID with Null values so that your browser cannot be identified any longer. The functionality of Google Chrome is not influenced by this. You only need to apply UnChrome once.”

I think this is paranoia rather than being perceptive, but just because you’re paranoid doesn’t mean they aren’t out to get you.

The September 2008 Scientific American is a special issue on The Future of Privacy. The issue has a good range or articles that all look like they are well worth reading and touch on all of the theme in our new MURI project on assured information sharing.

• Privacy in an Age of Terabytes and Terror. Peter Brown. Introduction to SciAm’s issue on Privacy. Our jittery state since 9/11, coupled with the Internet revolution, is shifting the boundaries between public interest and “the right to be let alone.”
• Data Fusion: The Ups and Downs of All-Encompassing Digital Profiles. Simson L. Garfinkel. Mashing everyone’s personal data, from credit card bills to cell phone logs, into one all-encompassing digital dossier is the stuff of an Orwellian nightmare. But it is not as easy as most people assume.
• Do Social Networks Bring the End of Privacy?. Daniel J. Solove. Young people share the most intimate details of personal life on social-networking Web sites, such as MySpace and Facebook, portending a realignment of the public and the private.
• How Loss of Privacy May Mean Loss of Security. Esther Dyson. Many issues posing as questions of privacy can turn out to be matters of security, health policy, insurance or self-presentation. It is useful to clarify those issues before focusing on privacy itself.
• Cryptography: How to Keep Your Secrets Safe. Anna Lysyanskaya. A versatile assortment of computational techniques can protect the privacy of your information and online activities to essentially any degree and nuance you desire.
• Internet Eavesdropping: A Brave New World of Wiretapping. Whitfield Diffie and Susan Landau. As telephone conversations have moved to the Internet, so have those who want to listen in. But the technology needed to do so would entail a dangerous expansion of the government’s surveillance powers.
• How RFID Tags Could Be Used to Track Unsuspecting People. Katherine Albrecht. A privacy activist argues that the devices pose new security risks to those who carry them, often unwittingly.
• Beyond Fingerprinting: Is Biometrics the Best Bet for Fighting Identity Theft?. Anil K. Jain and Sharath Pankanti. Security systems based on anatomical and behavioral characteristics may offer the best defense against identity theft.
• Digital Surveillance: Tools of the Spy Trade. Steven Ashley. Night-vision cameras, biometric sensors and other gadgets already give snoops access to private spaces. Coming soon: palm-size “bug-bots”.
• Tougher Laws Needed to Protect Your Genetic Privacy. Mark A. Rothstein. In spite of recent legislation, tougher laws are needed to prevent insurers and employers from discriminating on the basis of genetic tests.
• Industry Roundtable: Experts Discuss Improving Online Security. Experts from Sun, Adobe, Microsoft and MacAfee discuss how to protect against more numerous and sophisticated attacks by hackers; security professionals call for upgraded technology, along with more attention to human and legal factors.

There is an interesting panel to open the Microsoft faculty research summit featuring Rick Rashid, Daniel Reed, Ed Felten, Howard Schmidt, and Elizabeth Lawley. Lots of interesting ideas, but one that got thrown out was the recent idea that maybe the world does only need five (cloud) computers. If something like this really does happen, then perhaps we’ll need to think even more aggressively about the information sharing issues — is there some way for me to make sure that I only share with (say) Google’s cloud the things that are absolutely needed. Once I have given some information to Google, can I still retain some control over it. Who owns this information now? If I do, how do I know that Google will honor whatever commitments it makes about how it will use or further share that information ? We’ll be exploring some of these questions in our “Assured Information Sharing” Research. Some of the auditing work that MIT’s DIG group has done also ties in .

A UMBC led team recently won a MURI award from DoD to work on “Assured Information Sharing Lifecycle”. It is an interesting mix of work on  new security models, policy driven security systems, context awareness, privacy preserving data mining, and social networking. The award really brings together many different strains of research in eBiquity, as well as some related reserach in our department. We’re just starting off, and excited about it. UMBC’s web page had a story about this, and more recently, GCN covered it.

The UMBC team is lead by Tim Finin, and includes several of us. The other participants are UIUC (led by Jiawei Han), Purdue (led by Elisa Bertino),  UTSA (led by Ravi Sandhu), UTDallas (led by Bhavani Thurasingham), Michigan (Lada Adamic).

As the news media have all reported, Lori Drew has been indicted for her role in the death of a teenager. You may recall that this person, with her daughter and her friend, created a fake MySpace account, pretend to befriend another teen, and then “dump” her. The other teen committed suicide.  Opinions are split on whether being mean to a person, even to a kid, is a criminal offense that should lead to prosecution, as opposed to societal opprobrium.

What interested me however that of the four counts of the indictment, three had to do with violating the Terms of Service –in particular creating a fake profile, and using this fake profile to obtain information from the server. This was done under federal laws that criminalize unauthorized access — things like hacking into a server. So does this mean that the legal theory being advanced by the US Attorney for the Central District of California is that creating a fake account on an internet service is criminalizable if the ToS of the provider say that you should give accurate information ?  Certainly many experts that USA Today talked to seem to think so. No more creating accounts with fictitious names at newspaper sites that many people can use ? How about using the right name, but messing up some of the information ( income level, demographics) at each site so that they can’t datamine you ? Or not providing the right contact information (a@b.com), so that they can’t sell it to telemarketers ? Or any of the various other things that people routinely do in terms of providing incomplete or incorrect information. The penalty now can be criminal, not just a shutting down of access to the site concerned. Hmmm…….

Today’s Washington Post has a story, Electronic Passports Raise Privacy Issues, on the new passport card that’s part of the DOS/DHS Western Hemisphere Travel Initiative. The program is controversial since the cards use “vicinity read” radio frequency identification (RFID) technology that can be read from a distance of 20 or even 40 feet. This is in contrast to the ‘proximity read’ RFID tags in new US passports that require that the reader be within inches. The cards will be available to US citizens to speed their processing as they cross the borders in North America.

“The goal of the passport card, an alternative to the traditional passport, is to reduce the wait at land and sea border checkpoints by using an electronic device that can simultaneously read multiple cards’ radio frequency identification (RFID) signals from a distance, checking travelers against terrorist and criminal watchlists while they wait. “As people are approaching a port of inspection, they can show the card to the reader, and by the time they get to the inspector, all the information will have been verified and they can be waved on through,” said Ann Barrett, deputy assistant secretary of state for passport services, commenting on the final rule on passport cards published yesterday in the Federal Register. src”

As described in the ruling published in the Federal Register, the Government feels that privacy concerns have been addressed.

“The government said that to protect the data against copying or theft, the chip will contain a unique identifying number linked to information in a secure government database but not to names, Social Security numbers or other personal information. It will also come with a protective sleeve to guard against hackers trying to skim data wirelessly, Barrett said.” src

Of course, if you carry the card in your purse or wallet, your movements can still be tracked by the unique ID on the card. There are also security concerns since the tag’s ID may be cloned.

“Randy Vanderhoof, executive director of the Smart Card Alliance, represents technology firms that make another kind of RFID chip, one that can only be read up close, and he is critical of the passport card’s technology. It offers no way to check whether the card is valid or a duplicate, he said, so a hacker could alter the number on the chip using the same techniques used in cloning. “Because there’s no security in the numbering system, a person who obtains a passport card and is later placed on a watchlist could easily alter the number on the passport card to someone else’s who’s not on the watchlist,” Vanderhoof said.” src